{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2714", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-18T20:53:06.985Z", "datePublished": "2026-04-22T07:45:32.177Z", "dateUpdated": "2026-04-22T07:45:32.177Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:32.177Z"}, "affected": [{"vendor": "weblizar", "product": "Institute Management \u2013 Learning Management System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Enquiry Form Title' setting in all versions up to, and including, 5.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Institute Management <= 5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Enquiry Form Title' Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd62c3d-2c15-4d1c-9210-4c2aca379fe3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/institute-management/trunk/admin/inc/wl_im_settings.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/institute-management/tags/5.5/admin/inc/wl_im_settings.php#L47"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ritesh Sahu"}], "timeline": [{"time": "2026-02-18T20:53:19.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Institute Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Enquiry Form Title' setting in all versions up to, and including, 5.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2026-2714", "lastModified": "2026-04-22T09:16:20.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:20.817", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/institute-management/tags/5.5/admin/inc/wl_im_settings.php#L47"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/institute-management/trunk/admin/inc/wl_im_settings.php#L47"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd62c3d-2c15-4d1c-9210-4c2aca379fe3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:28:20.843501+00:00", "value": {"mitigation_remediation": ["Upgrade the Institute Management plugin to the latest available version, where the Enquiry Form Title input is properly sanitized and escaped.", "If an upgrade is not immediately possible, clear or disable the Enquiry Form Title setting for all non\u2011essential sites, or reset it to a safe, static string to prevent script injection.", "Review and restrict the unfiltered_html capability so it is granted only to trusted super\u2011administrators, and audit site roles to ensure only necessary permissions are assigned."], "summary": {"action": "Patch Plugin", "impact": "Stored Cross\u2011Site Scripting that can be used by privileged users to run malicious scripts in other users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Institute Management \u2013 Learning Management System plugin from weblizar, version 5.5 or earlier, on a multisite network or where the unfiltered_html capability has been disabled. Only installations where the Enquiry Form Title setting is exposed to administrators are affected.", "description_and_impact": "The Institute Management plugin stores the text entered for the \u2018Enquiry Form Title\u2019 without proper sanitization or output escaping. This allows an authenticated Administrator to inject arbitrary JavaScript that will execute whenever a user visits the form page, potentially hijacking sessions, stealing credentials, or executing further malicious payloads. The flaw is a classic stored XSS, directly impacting the confidentiality and integrity of all site visitors who load the affected page.", "risk_and_exploitability": "The CVSS score of 4.4 classifies the vulnerability as low severity, and no EPSS data is available, indicating no current evidence of exploitation. The flaw requires authenticated access at the Administrator level and is limited to installations with unfiltered_html disabled, which reduces the risk surface. The likely attack vector is through the WordPress admin interface where the Enquiry Form Title field is edited. Although the vulnerability is not listed in the CISA KEV catalog, any compromise of an administrator account could enable session theft or defacement for site users."}}}}, "created": "2026-04-22T09:30:13.557935+00:00", "updated": "2026-04-22T09:30:13.557952+00:00", "vendors": []}